flubot | 3865302b66b0efee4ab31130cefdeff55c2e269c7d6dd03c0673134f98254185

Analysis

max time kernel
131s
max time network
146s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
02-09-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3865302b66b0efee4ab31130cefdeff55c2e269c7d6dd03c0673134f98254185.apk
Size

3.4MB
MD5

83c3142eeb1fc5a3d88807c0c738c543
SHA1

f0e99360e5c78ed7b8b3d08abc58aaebc9daf4c8
SHA256

3865302b66b0efee4ab31130cefdeff55c2e269c7d6dd03c0673134f98254185
SHA512

94741012e99c9685cdf7354117074f40e1f3ac4f60f934279745ceb5146eccf31701a44b23d728ad3d9c52a95af6a00dbd5bc1366bc7fb9fa2a0127b27926bdd
SSDEEP

98304:dKi5SaYvkjZRFJjAC7mc7KAndX42bIeIJ7l:tS6j7FJdx7lnh4kIDx

Score

10^/10

flubot banker collection credential_access discovery evasion infostealer persistence trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_flubot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin	4958	com.iqiyi.i18n
/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin	4958	com.iqiyi.i18n

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.iqiyi.i18n

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.iqiyi.i18n

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.iqiyi.i18n

com.iqiyi.i18n
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about active data network
PID:4958

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin

Filesize
1.5MB

MD5
681a8c94879a5fba26735daa55551a7a

SHA1
ce3e25947da0b9fb718d915a332d9c9e2fa4faae

SHA256
c24523c719067daad805b1d68cfef8d2c377a5c5f52092b96093b4488e6e82a2

SHA512
19ccd60e41489072df2f84e67840875d3ad5c83914b4d3c5e1ce209a10dc17cfc086fd66d35aa907e7110a7ab51e7d2f84be34ca1f96461316a04e09a789f7f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads